---
title: "Secure Meteor APIs with API Key Authentication"
description: "Secure your Meteor API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/javascript/meteor/secure-header"
framework: "Meteor"
language: "JavaScript"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Meteor APIs with API Key Authentication

Secure your Meteor API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Meteor backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Meteor Backend Code

```javascript
import { Meteor } from "meteor/meteor";
import { WebApp } from "meteor/webapp";
import crypto from "crypto";

// Middleware to validate shared secret header
const validateSharedSecret = (req, res, next) => {
  const secret = req.headers["x-shared-secret"];
  const expectedSecret = process.env.SHARED_SECRET;

  if (!expectedSecret) {
    res.writeHead(500, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "Server configuration error" }));
    return;
  }

  if (!secret) {
    res.writeHead(401, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "No secret provided" }));
    return;
  }

  // Use timing-safe comparison to prevent timing attacks
  if (
    secret.length !== expectedSecret.length ||
    !crypto.timingSafeEqual(Buffer.from(secret), Buffer.from(expectedSecret))
  ) {
    res.writeHead(401, { "Content-Type": "application/json" });
    res.end(JSON.stringify({ error: "Invalid secret" }));
    return;
  }

  next();
};

// Insert middleware into the WebApp connect handler
WebApp.connectHandlers
  .use(validateSharedSecret)
  .use("/protected", (req, res, next) => {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(
      JSON.stringify({
        message: "Access granted",
      }),
    );
  });
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)